Use Fortanix Data Security Manager with BeyondTrust Password Safe

This document describes the steps to integrate Fortanix Data Security Manager (DSM) with BeyondTrust Password Safe. The integration is based on PKCS#11: Password Safe loads the Fortanix PKCS#11 library as its HSM driver and authenticates to DSM with an app API key used as the PIN.

Password Safe allows users and applications to check out passwords, or to start sessions that use those passwords. Password Safe is also responsible for rotating the passwords of the privileged accounts it manages. A check-out requires the password stored in Password Safe to be decrypted, and a rotation or change requires the new value to be encrypted. Password Safe can perform these operations with self-generated keys, but there are benefits to externalizing all encryption and decryption operations to Fortanix DSM.

Because the key material stays in DSM, customers gain the ability to monitor every use of the key and to invalidate (disable or revoke) it even when Password Safe itself cannot be reached. Externalizing Password Safe keys to Fortanix DSM provides additional security controls and flexibility, enabling use cases such as BYOK (Bring Your Own Key) and HYOK (Hold Your Own Key).

This quick step-by-step guide will help you configure a simple integration to allow Password Safe to externalize encryption and decryption operations to Fortanix DSM.


Prerequisites

This integration has been tested and is supported on:

  • Fortanix DSM 4.14 and later
  • Password Safe (BeyondInsight) 21.3 and later.  BeyondInsight is the underlying platform and web console for Password Safe.

Configure Fortanix DSM for Password Safe

To configure the integration:

Create a group in Fortanix DSM for the Password Safe integration.

  1. Create a group in DSM. Apps in DSM are scoped to groups, so a dedicated group keeps the key that Password Safe will create separate from other keys and limits what the Password Safe app can reach.

Create an app in Fortanix DSM for the Password Safe integration.

  2. Create an app in DSM and assign it to the group created in step 1. Note the app's API key: it is the PIN you will enter when configuring the HSM in the BeyondInsight Configuration tool, so handle it as a secret.

Download the Fortanix DSM Windows client installer, which includes the PKCS#11 library.

  3. Open the Fortanix PKCS#11 support page: https://support.fortanix.com/hc/en-us/sections/4408769080724-PKCS-11

  4. From there, download the latest Windows 64-bit installer from Fortanix.

Locate the Fortanix DSM PKCS#11 driver and README file.

  5. After installing the MSI on your BeyondInsight server or appliance, locate the PKCS#11 driver and the accompanying README.txt. Note the location of the driver; the BeyondInsight Configuration tool must be pointed at it.

In BeyondInsight, configure the HSM credentials.

  6. Use the BeyondInsight Configuration tool to configure the HSM credentials. The PIN is the API key of the DSM app created in step 2.

In Password Safe, test and change the password for a Managed Account.

  7. In Password Safe, test and change the password for a Managed Account. You should see a Successful message at the bottom for both the test and the change.

In Fortanix DSM, find the key created by Password Safe.

  8. In DSM, find the new key created by Password Safe (with the name used earlier). It should be in the group from step 1.

In Fortanix DSM, review the activity logs for the key to see Password Safe actions.

  9. The Activity Logs of the key object in DSM confirm that the Decryption (Test Password) and Encryption (Change Password) operations were performed by the Password Safe app. Any other operation on this key, or any other actor, is unexpected and worth investigating.
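The activity-log review above is a manual check. The same verification, and the key-usage monitoring mentioned as a benefit at the top of this page, can be automated against an export of the key's audit entries. The following Python script is an added example written for this page, not code from Fortanix or BeyondTrust. It assumes a newline-delimited JSON export with the fields time, action, actor_app and key_name; DSM's actual log format is not shown on this page, so map its real fields onto these before use. The sample entries, the key name ps-master-key and the app name password-safe are constructed placeholders. The review flags what a glance at the log can miss: any app other than the Password Safe app touching the key, any operation other than ENCRYPT or DECRYPT on it (for example an export attempt), and the absence of the Decryption/Encryption pair that the Test and Change step should have produced.

```python
import json
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable

# Password Safe only ever asks DSM to encrypt (Change Password) or decrypt
# (Test Password / check-out) stored credentials with its key. Anything else
# performed on that key is suspect.
EXPECTED_OPERATIONS = frozenset({"ENCRYPT", "DECRYPT"})

# CONSTRUCTED sample export, one JSON object per line. The field names
# ("time", "action", "actor_app", "key_name") are an ASSUMPTION made for this
# example, not DSM's documented log schema.
SAMPLE_LOG = """\
{"time": "2024-05-01T10:00:01Z", "action": "DECRYPT", "actor_app": "password-safe", "key_name": "ps-master-key"}
{"time": "2024-05-01T10:00:07Z", "action": "ENCRYPT", "actor_app": "password-safe", "key_name": "ps-master-key"}
{"time": "2024-05-01T10:01:15Z", "action": "DECRYPT", "actor_app": "password-safe", "key_name": "ps-master-key"}
{"time": "2024-05-01T11:42:00Z", "action": "EXPORT", "actor_app": "password-safe", "key_name": "ps-master-key"}
{"time": "2024-05-01T12:05:30Z", "action": "DECRYPT", "actor_app": "backup-job", "key_name": "ps-master-key"}
{"time": "2024-05-01T12:06:00Z", "action": "ENCRYPT", "actor_app": "other-app", "key_name": "unrelated-key"}
"""


@dataclass
class UsageReview:
    # (actor_app, action) -> count, restricted to the reviewed key
    operations: Counter = field(default_factory=Counter)
    findings: list[str] = field(default_factory=list)


def parse_entries(text: str) -> list[dict]:
    """Parse newline-delimited JSON. A malformed line aborts the review instead
    of being dropped silently, so a truncated export cannot hide events."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            entries.append(json.loads(raw))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed log entry ({exc.msg})") from None
    return entries


def review_key_usage(entries: Iterable[dict], key_name: str, expected_app: str) -> UsageReview:
    """Tally operations on key_name and report anything outside the expected
    pattern: an unexpected actor, an unexpected operation, or a missing
    ENCRYPT/DECRYPT from the Password Safe app."""
    review = UsageReview()
    for entry in entries:
        if entry.get("key_name") != key_name:
            continue  # other keys are out of scope for this check
        app = entry.get("actor_app", "<unknown>")
        action = entry.get("action", "<unknown>")
        review.operations[(app, action)] += 1
        if app != expected_app:
            review.findings.append(
                f"{entry.get('time')}: {action} on '{key_name}' by unexpected app '{app}'")
        elif action not in EXPECTED_OPERATIONS:
            review.findings.append(
                f"{entry.get('time')}: unexpected operation {action} on '{key_name}' by '{app}'")

    # After a successful Test and Change, both a DECRYPT and an ENCRYPT by the
    # Password Safe app must be present; otherwise the operations never reached DSM.
    seen = {action for (app, action) in review.operations if app == expected_app}
    missing = EXPECTED_OPERATIONS - seen
    if missing:
        review.findings.append(
            f"no {'/'.join(sorted(missing))} by expected app '{expected_app}' on key '{key_name}'")
    return review


if __name__ == "__main__":
    result = review_key_usage(parse_entries(SAMPLE_LOG), "ps-master-key", "password-safe")
    for (app, action), count in sorted(result.operations.items()):
        print(f"{app:15} {action:8} {count}")
    for finding in result.findings:
        print("FINDING:", finding)
```

Run against a real export, the two findings on the sample (an EXPORT attempt by the Password Safe app and a DECRYPT by an unrelated app) are exactly the events that justify the externalization: because the operations are recorded in DSM rather than inside Password Safe, they remain visible even if Password Safe itself is compromised, and the key can be disabled in DSM while the investigation proceeds.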